CVE-2009-4925

creasito e-commerce content manager 1.3.16 - SQL Injection via Username Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4925. PoCs published by Salvatore Fresta.

AI-analyzed exploit summary This is a writeup describing an SQL injection vulnerability in creasito e-commerce content manager version 1.3.16, specifically an authentication bypass flaw. The exploit details how to bypass authentication by injecting SQL code into the username field.

Description

Multiple SQL injection vulnerabilities in Portale e-commerce Creasito (aka creasito e-commerce content manager) 1.3.16, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the username parameter to (1) admin/checkuser.php and (2) checkuser.php.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Salvatore Fresta · textwebappsphp
https://www.exploit-db.com/exploits/8497

This is a writeup describing an SQL injection vulnerability in creasito e-commerce content manager version 1.3.16, specifically an authentication bypass flaw. The exploit details how to bypass authentication by injecting SQL code into the username field.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: creasito e-commerce content manager 1.3.16
No auth needed
Prerequisites: magic_quotes_gpc = off
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/502818/100/0/threaded
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/8497
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34809
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34605

Scores

EPSS 0.0091
EPSS Percentile 55.3%

Details

CWE
CWE-89
Status published
Products (1)
creasito/creasito_e-commerce_content_manager 1.3.16
Published Jul 12, 2010
Tracked Since Feb 18, 2026